GraphRAG under Fire
Jiacheng Liang, Yuhui Wang, Changjiang Li, Rongyi Zhu, Tanqiu Jiang, Neil Gong, Ting Wang
TL;DR
GraphRAG under Fire evaluates the security of GraphRAG, a graph-based RAG system, revealing that while standard poisoning attacks lose effectiveness due to graph-based indexing and reasoning, new vulnerabilities emerge that allow scalable, multi-query poisoning. The authors introduce GragPoison, a text-driven attack that identifies shared graph relations and injects competing relations with reinforcing narratives, achieving high attack success rates across multiple domains with limited poisoned text. A comprehensive set of ablations demonstrates the importance of relation selection, narrative techniques, and graph scale, and extensions show applicability to targeted attacks and alternative GraphRAG variants. The work also discusses defenses, finding that paraphrasing, model knowledge referencing, CoT consistency, detection, and provenance-aware scoring provide limited protection, highlighting the need for provenance-aware retrieval and robust graph-aware defenses.
Abstract
GraphRAG advances retrieval-augmented generation (RAG) by structuring external knowledge as multi-scale knowledge graphs, enabling language models to integrate both broad context and granular details in their generation. While GraphRAG has demonstrated success across domains, its security implications remain largely unexplored. To bridge this gap, this work examines GraphRAG's vulnerability to poisoning attacks, uncovering an intriguing security paradox: existing RAG poisoning attacks are less effective under GraphRAG than conventional RAG, due to GraphRAG's graph-based indexing and retrieval; yet, the same features also create new attack surfaces. We present GragPoison, a novel attack that exploits shared relations in the underlying knowledge graph to craft poisoning text capable of compromising multiple queries simultaneously. GragPoison employs three key strategies: (i) relation injection to introduce false knowledge, (ii) relation enhancement to amplify poisoning influence, and (iii) narrative generation to embed malicious content within coherent text. Empirical evaluation across diverse datasets and models shows that GragPoison substantially outperforms existing attacks in terms of effectiveness (up to 98% success rate) and scalability (using less than 68% poisoning text) on multiple variations of GraphRAG. We also explore potential defensive measures and their limitations, identifying promising directions for future research.
